Protect your data at rest with disk encryption on Linux VMs, and deploy them as Infrastructure as Code.

VM with disk encryption
In this blog post I'll describe the steps to take for creating a Marketplace Linux VM with key encryption key (KEK) disk encryption (dm-crypt), using ARM templates as much as possible. We will follow these steps:

Create Key Vault ARM template

Create a Service Principal for VM access to the Key Vault

Deploy the Key Vault

Add Key to Key Vault

Deploy the Marketplace VM using ARM templates

As a result you will have a VM with encrypted disks. The encryption keys/secrets are stored in the Azure Key Vault.

To execute the steps in this tutorial you are expected to have basic knowledge of PowerShell and of executing ARM (linked) templates on Azure.

Step 1: Create Key Vault ARM template
To deploy the Key Vault I use an ARM template. The template has three parameters: keyVaultName, tenantId and objectId. The tenantId is the tenant ID of the current subscription. The objectId is the AAD user or Service Principal that will access the Key Vault. The Key Vault below is enabled only for disk encryption:
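As an added example (not the post's own template), this is a minimal Key Vault ARM template with the three parameters described above. It assumes the objectId is the Service Principal used by Azure Disk Encryption, so the access policy grants only the key-wrap and secret-set permissions that the encryption extension needs; deployment and template-deployment access stay disabled.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string",
      "metadata": { "description": "Name of the Key Vault to create" }
    },
    "tenantId": {
      "type": "string",
      "metadata": { "description": "Tenant ID of the current subscription" }
    },
    "objectId": {
      "type": "string",
      "metadata": { "description": "Object ID of the AAD Service Principal that will access the vault" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2015-06-01",
      "name": "[parameters('keyVaultName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "tenantId": "[parameters('tenantId')]",
        "sku": { "family": "A", "name": "standard" },
        "enabledForDeployment": false,
        "enabledForTemplateDeployment": false,
        "enabledForDiskEncryption": true,
        "accessPolicies": [
          {
            "tenantId": "[parameters('tenantId')]",
            "objectId": "[parameters('objectId')]",
            "permissions": {
              "keys": [ "wrapKey" ],
              "secrets": [ "set" ]
            }
          }
        ]
      }
    }
  ],
  "outputs": {
    "keyVaultResourceId": {
      "type": "string",
      "value": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
    }
  }
}
```

If you pass your own user's object ID instead of the Service Principal's, the key added in Step 4 is created under your identity, so that policy also needs "create" in the keys permissions.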

Step 3: Deploy Key Vault
Now you can deploy the ARM template with the parameters using the following PowerShell command: New-AzureRmResourceGroupDeployment. After deployment you have a Key Vault and a Service Principal that is able to set the key for disk encryption in the Key Vault.

Step 5: Create the Marketplace VM with disk encryption
In this step we take a Marketplace VM and add disk encryption to the template. Currently disk encryption is supported on the following Linux distributions: RHEL 7.2, CentOS 7.2 and Ubuntu 16.04. In this case we use RHEL 7.2.

The ARM template first creates a Marketplace RHEL 7.2 VM, then applies the disk encryption extension and finally enables disk encryption on the VM with a linked template.

Next you have to reboot the machine when the encryption is done. You can check for pending reboots with the following command: Get-AzureRmVMDiskEncryptionStatus. It also shows whether the disk encryption was successful. A script to check whether a reboot is needed can be found here: Restarting Azure VMs after encrypting the disks.

Conclusion
Using this sample code you will be able to create a VM whose disks are encrypted with a key encryption key (KEK). The keys are stored in the Key Vault. Using ARM templates instead of PowerShell scripts enables an Infrastructure as Code scenario, where you manage VMs as cattle instead of pets.

You can leave the line -_linkedTemplateDiskEncriptionUri "" out of the script. The template will then pick it up from the default location:
"_linkedTemplateDiskEncriptionUri": {
    "defaultValue": "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/201-encrypt-running-linux-vm/updatevm-kek.json",
    "type": "string",
    "metadata": {
        "description": "location of the linked template"
    }
},

1) Do both BEK and KEK encryption work on image gallery VMs, or do they work on captured images as well?
2) If I already have storage and a virtual network created, will this JSON template overwrite those, or will it skip creating the storage and virtual network?

I am facing challenges encrypting Linux VMs with both BEK and KEK as it is the requirement for Azure backup.

Yes, you can do both BEK and KEK. Look at the parameters of the _linkedTemplateDiskEncryptionUri template.
When the storage and network are already there, nothing is created. You can also remove them from the template and set the correct names.

Thanks. One last question. I have some VMs with just BEK encryption. How can I apply the KEK encryption on them without decrypting (the Linux OS disk can't be decrypted as per the MS article)? Do you have any JSON template for the same?